Keeping your WordPress site secure

November 21, 2017

Teiss guest blogger and WordPress specialist Alex Grant from BestVPN shares his expertise on keeping blogs and websites that run on WordPress secure.

Did you know that 60% of small and medium-sized businesses are at risk of going out of business as a result of a cyber attack? An average SME or solo blogger may not be able to recover from the monetary and reputational consequences of a hack.

WordPress powers a large share of small business websites and blogs. If you are reading this, it may well be powering yours. The security of your content management system must not be an afterthought.

Having a rational security strategy, rather than patching things haphazardly when disaster strikes, is essential.

This strategy needs to be comprehensive and should cover everything: from fundamentals such as patching your WordPress installation; through less obvious but important tweaks like locking down the WordPress REST API and XML-RPC; to drafting a disaster preparedness and recovery plan.

Secure your WordPress back-end

Patch your software

Begin by keeping the WordPress core and every third-party plugin and theme up to date. Updates aren't just for improved functionality: they carry patches for vulnerabilities that have been found in the code, and once a fix is published the flaw it closes is public knowledge too, so the window between a release and attackers scanning for unpatched sites is short. Leave WordPress's automatic minor updates switched on and check the Updates screen in your dashboard regularly for plugins and themes.

Delete unnecessary software

Delete, don't just disable, everything you're not using. Avoid accumulating a pile of unused and outdated plugins and themes. A deactivated plugin's PHP files are still on disk under wp-content and can still be requested directly by URL, so as long as they are installed, attackers can exploit vulnerabilities in them.

Harden the back-end

Consider the following measures to harden your WordPress back-end:

Change your admin username: the default "admin" is the first name every brute-force script tries. Go to your dashboard and click Users; then select Add New; fill out the user information and assign the Administrator role; click Add New User; then log in as the new user and delete the old "admin" account. When WordPress asks what to do with the old account's content, attribute it to the new user rather than deleting it. Be aware that this only raises an attacker's cost modestly, because usernames leak through author archive URLs and the REST API; it works in combination with a strong, unique password and login throttling, not instead of them.

Install spam protection. Spam is more than an annoyance: if spam comments contain malicious links, your blog can end up flagged by Google. The Akismet plugin is free for personal use and straightforward to set up (it needs an API key from Akismet), and security suites such as Sucuri also offer comment-spam filtering.

Hide your WordPress version number. The <meta name="generator"> tag WordPress adds to every page tells attackers exactly which release you run, which points them straight at that release's known vulnerabilities if you have fallen behind on updates. To remove it: back up your site; then go to Appearance / Editor, open the Theme Functions file, add the line add_filter('the_generator', '__return_empty_string'); and hit Update File. Two caveats: an edit to functions.php is lost when the theme updates, so a child theme or a small must-use plugin is the safer place for it; and the version still leaks through the ?ver= query string on core scripts and styles and through files such as readme.html. Hiding it buys little on its own, and updating promptly is the real fix.

Lock down the WordPress REST API (designed to let developers integrate custom-built programs with WordPress) and XML-RPC (which enables remote access and posting). Both accept credentials outside the normal login form, so plugin-based two-factor authentication does not protect them, and XML-RPC's system.multicall lets an attacker test hundreds of passwords in a single request. If you don't post remotely and don't use the WordPress mobile apps or Jetpack, which depend on XML-RPC, disable it outright. The REST API is used by the dashboard itself (including the block editor in newer versions) and by many plugins, so rather than switching it off completely, restrict it to logged-in users. The Disable REST API and Disable XML-RPC plugins will do this without editing code.
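The three tweaks above (hiding the version, disabling XML-RPC, restricting the REST API) can be done in one must-use plugin instead of three separate plugins or a theme edit. The following is an added example written for this page, not code from the article or from the plugins it names; the file name and the helper name hx_strip_core_version are assumptions, and everything else uses WordPress core hooks.

```php
<?php
/*
Plugin Name: Hardening example (mu-plugin)
Description: Added example, not code from the article. Save it as
             wp-content/mu-plugins/hardening-example.php (assumed name); must-use
             plugins load without activation and survive theme updates.
*/

// 1. Version number: the same filter the text uses, plus the ?ver=x.y.z query
//    string WordPress appends to its own scripts and styles. Other fingerprints
//    (readme.html, file hashes) remain, so treat this as cosmetic.
add_filter('the_generator', '__return_empty_string');

function hx_strip_core_version(string $src): string {
    $core = get_bloginfo('version');
    if ($core !== '' && strpos($src, 'ver=' . $core) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hx_strip_core_version');
add_filter('style_loader_src', 'hx_strip_core_version');

// 2. XML-RPC: 'xmlrpc_enabled' => false makes every method that needs a login
//    (including those reached through system.multicall) fail before the
//    password is checked. pingback.ping needs no login and has been abused for
//    reflected DDoS, so remove it explicitly and stop advertising the endpoint
//    in the X-Pingback response header.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. REST API: refuse anonymous requests instead of disabling the API, so the
//    dashboard and plugins that use it keep working. Anonymous callers get a
//    401, which also closes user enumeration via /wp-json/wp/v2/users.
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result;   // an earlier check already produced an error or a pass
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_login_required',
            __('You must be logged in to use the REST API.'),
            ['status' => 401]
        );
    }
    return $result;
});
```

Verify it from outside with an anonymous request to /wp-json/wp/v2/users (expect 401) and a POST to xmlrpc.php calling wp.getUsersBlogs with any credentials (expect the "XML-RPC services are disabled" fault). If you rely on a web-server-level block of xmlrpc.php as well, keep this plugin anyway: the server rule protects the file, the filter protects the code path.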

Lock out repeated sign-on attempts with a plugin such as WP Limit Login to stop brute-forcing scripts and bots from grinding through your authentication. It lets you cap the number of login attempts allowed from one address within a set time, customize the lockout period and enable a captcha. If your site sits behind a CDN or reverse proxy, make sure the plugin is configured to read the real client address from the proxy's header; otherwise every visitor shares the proxy's IP, and one attacker can lock everyone out.
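To show what such a plugin actually does, here is a minimal login throttle as an added example for this page; it is not the WP Limit Login plugin's code. It counts failed logins per client address in a WordPress transient and refuses further attempts once the cap is reached. The limits, the lt_ prefix and the assumption that PHP sees the real client address (no proxy in front) are illustrative choices.

```php
<?php
/*
Plugin Name: Login throttle example (mu-plugin)
Description: Added example of how a login limiter works; not WP Limit Login's
             code. Five failures from one address within fifteen minutes lock
             that address out until fifteen minutes have passed without a try.
*/

define('LT_MAX_FAILURES', 5);
define('LT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS);

// Key the counter on the client address. Assumes PHP sees the real client:
// behind a reverse proxy or CDN, REMOTE_ADDR is the proxy, and you would read
// the proxy's header instead, but only after confirming the request really
// arrived from that proxy.
function lt_key(): string {
    return 'lt_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function lt_failures(): int {
    return (int) get_transient(lt_key());
}

// Count every real failed login. Each failure renews the expiry, so an attacker
// who keeps hammering stays locked out; the lock lifts LT_WINDOW_SECONDS after
// the last attempt.
add_action('wp_login_failed', function () {
    set_transient(lt_key(), lt_failures() + 1, LT_WINDOW_SECONDS);
});

// Priority 30 runs AFTER core's username/password check (priority 20). Hooked
// earlier, a lockout would be overridden: core returns the WP_User whenever
// the password is right, regardless of errors from earlier callbacks.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user;   // wp-login.php renders the form via wp_signon(); not an attempt
    }
    if (lt_failures() >= LT_MAX_FAILURES) {
        return new WP_Error(
            'lt_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lt_key());
});
```

The two details that matter for any limiter are visible here: the check must run after core has verified the password, and the counter must survive across requests (transients do, and they work with or without an object cache). A production plugin adds per-username counting, an allow list for your own address and an admin notice, but the mechanism is the same.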

Consider adding a monitoring plugin such as Wordfence or Sucuri to handle the day-to-day security chores for you: a web application firewall, malware scanning and integrity checks that flag core files which differ from the originals. Both have free and paid plans, so you can cover the basics at no cost.

Restrict user permissions: give each user only the minimum role their job requires (Author or Editor for people who write, Administrator for as few accounts as possible). Recent WordPress versions generate strong passwords and show a strength meter, but they do not stop a user from ticking the box and keeping a weak one, so consider the Force Strong Passwords plugin if several people have accounts.

Secure your hosting

The right hosting provider

Securing your hosting begins with choosing the right provider in the first place. Look for one that caters to WordPress specifically, and consider a dedicated server rather than a shared one if possible: on a shared server, a weakness in another tenant's site can become your problem. Pay attention to the security features on offer, and ask whether an SSL certificate is bundled or sold as a standalone product.

SSL and HTTPS

Install an SSL/TLS certificate and serve the site over HTTPS to encrypt the data between your readers' browsers and your server. This stops anyone on the network path from reading or tampering with the traffic, login cookies included, and Google treats HTTPS as a ranking signal. Many hosting providers offer certificates, and you can also get one for free from Let's Encrypt or Sucuri, in which case ask your host to help you install it. Once it is in place, switch the site and home URLs to https://, redirect plain HTTP to HTTPS, and set FORCE_SSL_ADMIN in wp-config.php so the dashboard and login page are never served in the clear.

Update file permissions

Fix file permissions. World-writable (777) permissions, which some hosts and tutorials hand out to make a plugin install "just work", let any process on the server modify your files and are a favourite foothold for attackers on shared hosting. Set your WordPress directories to 755 and files to 644 via FTP or SSH. Keep wp-config.php, which holds your database credentials, as tight as your server allows: 640 (readable by the web server's group only) is a good target, and if it is already 600 and the site works, leave it there rather than loosening it to 644. You will still be able to edit the files as their owner, but other accounts on the server cannot read or modify them.
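Checking a whole installation by hand is tedious, so here is an added example (not from the article) of a small PHP script that walks a WordPress tree and reports every entry looser than the targets above. Run it on the server as the file owner; the path /var/www/html and the function name audit_wp_permissions are assumptions.

```php
<?php
// Added example: audit a WordPress tree for permissions looser than the targets
// in the text. Run as:  php audit-perms.php /var/www/html   (path assumed)
// Targets: directories 755, files 644, wp-config.php 640. Any bit beyond the
// target is reported; world-writable entries are flagged as critical.

function audit_wp_permissions(string $root): array {
    $root     = rtrim($root, '/');
    $findings = [];
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // visit directories as well as files
    );

    foreach ($walker as $path => $info) {
        $mode = $info->getPerms() & 0777;       // drop the file-type bits
        if ($info->isDir()) {
            $target = 0755;
        } elseif ($info->getFilename() === 'wp-config.php') {
            $target = 0640;                     // database credentials live here
        } else {
            $target = 0644;
        }
        $extra = $mode & ~$target;              // bits the target does not grant
        if ($extra === 0) {
            continue;
        }
        $findings[] = sprintf(
            '%-8s %04o (want %04o)  %s',
            ($mode & 0002) ? 'CRITICAL' : 'loose',  // 0002 = writable by everyone
            $mode,
            $target,
            substr($path, strlen($root) + 1)
        );
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root     = $argv[1] ?? getcwd();
    $findings = audit_wp_permissions($root);
    echo $findings
        ? implode(PHP_EOL, $findings) . PHP_EOL
        : "No loose permissions under $root" . PHP_EOL;
}
```

One expected exception: if PHP runs as a different user from the file owner, wp-content/uploads (and anything else WordPress must write) needs group write, so it will show up as "loose" at 775. That is acceptable as long as the group is the web server's and nothing is 777; everything else the script lists should be tightened.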

Disable PHP Error reporting

Disable PHP error display. When PHP errors are rendered into the page, any visitor who manages to trigger one sees the full server path of the failing file and often the failing function or query as well, which is useful reconnaissance. A quick fix is to open wp-config.php and add, below the opening <?php line: error_reporting(0); @ini_set('display_errors', 0); The ini_set part is what matters here, because WordPress sets error_reporting() again itself while booting. The robust setting is display_errors = Off in php.ini (or .user.ini), with errors written to a log file outside the web root so you can still troubleshoot when you need to.
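The following wp-config.php fragment is an added example for this page, not from the article, that puts the HTTPS settings from the "SSL and HTTPS" section and the error-display fix together, with the weak version beside the corrected one. The domain and log path are assumptions; the HTTP-to-HTTPS redirect for the public site belongs in your web server configuration, not in this file.

```php
<?php
// Added example: production settings for wp-config.php. Place these ABOVE the
// "That's all, stop editing!" line. Domain and log path are assumptions.

/* --- HTTPS --- */
define('WP_HOME',    'https://example.com');   // assumed domain
define('WP_SITEURL', 'https://example.com');
define('FORCE_SSL_ADMIN', true);               // wp-admin and wp-login.php only over TLS

/* --- PHP error display --- */
// Weak: silences errors, but WordPress calls error_reporting() again in
// wp_debug_mode() when it boots, so only the display_errors half takes effect.
// error_reporting(0);
// @ini_set('display_errors', 0);

// Corrected: say explicitly that this is not a debug site ...
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);  // consulted only when WP_DEBUG is true; documents intent
@ini_set('display_errors', '0');    // the line that actually hides errors from visitors

// ... and keep a log outside the document root so you can still troubleshoot.
// The path must be writable by the PHP user and must not be fetchable by URL.
@ini_set('log_errors', '1');
@ini_set('error_log', '/var/log/php/wordpress-errors.log');   // assumed path

// These settings only apply once wp-config.php has loaded. A parse error in
// this file, or a fatal error earlier in the request, is still governed by
// php.ini, so set display_errors = Off there (or in .user.ini) as well.
```

After saving, request a page that you know produces a notice (a deliberately broken plugin on a staging copy is the safe way) and confirm the error appears in the log file and not in the page.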

Have a disaster preparedness plan

Do backups the right way. Backups should be automatic, incremental, redundant and stored in several locations. Don't rely on manual backups. Keep daily, weekly and monthly copies in several different places, such as the cloud, your web host, and locally on a hard drive or external drive; include the database as well as the files, since posts, users and settings live in the database; and restore one to a test site now and then, because a backup you have never restored is not yet a backup.

Prepare a temporary page that will inform your readers that your website is down and that you’re working on a fix.

Prepare a plan for how you will redeploy your blog, and account for the possibility of redirecting your traffic elsewhere while the blog is down.

Secure endpoint devices and email accounts: every device you use to access your site is an integral part of your WordPress security. So use strong, unique passwords, PINs and two-factor authentication on your smartphones, laptops and administrative email accounts; the mailbox that receives your WordPress password-reset links is worth as much to an attacker as the admin password itself. Don't administer the site over untrusted public Wi-Fi unless you're using a trusted VPN.

As you can see, most of these WordPress security tweaks do not require advanced technical skills (although many users will need help with some of the instructions). If you've come as far as setting up your WordPress blog, you can spare another 30 minutes to make sure it is secure.

At the end of the day, better security translates into higher ranking and a solid reputation among your readers. Trust me!
